Protect against SSL/TLS CBC vulnerability

In this article we'll discuss a server side fix for the SSL 3.0 (Secure Socket Layer) and TLS 1.0 (Transport Layer Security) vulnerability in handling ciphers that use CBC (Cipher-Block-Chaining). If you read our previous article on how to pass PCI compliance scans, this is one of the tests that a PCI vendor might fail your website on when they scan it.

As of April, 2012, PCI scanning vendors started identifying web servers running SSL 3.0 and TLS 1.0 as vulnerable even when not running Java. There was only one known exploit released called BEAST (Browser Exploit Against SSL/TLS) which was a web-browser only attack. However some PCI vendors will still fail your server as a security precaution, if this is the case you can use the steps below to update your service's cipher to a stream cipher such as RC4, rather than a block cipher.